Microsoft Defender for Endpoint on Linux — Manual Scan Tips

Deploying and managing Defender for Endpoint on Linux at scale is something you will want to do with Linux management tools, think of Puppet or Ansible. Manual operation is an option, but not ideal at scale.
However, there is definitely a use case for manual operations and troubleshooting of the agent — especially locally at an endpoint — which is why there is a powerful command-line interface built into the agent,
and the magic all happens behind the initial command:
mdatp
It’s all fun uphill from there!
MDE Linux Command Flowchart
Always referring back to the original and official guidance in Microsoft Learn, of course.
Investigate agent health issues | Microsoft Learn
From it I managed to verify all the local commands available for MDE on supported Linux endpoints.
So I created this flowchart to help understand what kind of commands you can issue locally and what kind of settings can be configured locally too.

You can find this in my Github also. The mermaid format is available there too, please attribute if you re-use/build upon.
The key point here is that not only can settings be changed, but reports can be produced and actions taken — with the proper credentials, of course.
Settings
Settings cover any changes to how the agent operates locally and include scan settings, monitoring, EDR, network configuration, etc.

Actions
What I call actions are commands that operate the local agent, think of active instructions such as starting a manual scan, for example:

Outputs
Lastly, what I call “Outputs” are commands that produce inline reports/results, for example checking scan results via the command line:

Summary
As a result of this short learning exercise, you can infer and understand that you can create powerful policies to exclude specific files / paths from being checked.
And that the most powerful local command is
mdatp health
Check it out yourself! 😉
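As an added example (not code from the original post or from Microsoft), the script below triages the key/value lines that `mdatp health` prints and flags the settings a defender would check first: the field names are the ones the command reports, the expected values are my assumptions about a healthy active-mode agent, and the sample output embedded in the script is constructed so it runs offline.

```shell
#!/bin/sh
# Added example: triage `mdatp health` output. The sample below is constructed
# in the same "field : value" layout as the real command; values are made up.

# mde_field <field> <health_output>: print the value of one field.
# Splits on the first " : "; fields whose values contain colons (timestamps)
# would be truncated, but none of the fields checked here do.
mde_field() {
    printf '%s\n' "$2" | awk -v k="$1" -F' *: *' '$1 == k { print $2; exit }'
}

# mde_health_check <health_output>: print one line per check and return the
# number of failed checks (0 means the agent looks healthy).
mde_health_check() {
    out="$1"; failed=0
    for pair in 'healthy=true' 'licensed=true' 'cloud_enabled=true' \
                'passive_mode_enabled=false' \
                'real_time_protection_enabled=true' \
                'definitions_status="up_to_date"'
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(mde_field "$key" "$out")
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "CHECK $key = ${got:-<missing>} (expected $want)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample: an agent with real-time protection off and stale
# definitions, which the check should flag.
SAMPLE_HEALTH='healthy                          : true
licensed                         : true
cloud_enabled                    : true
passive_mode_enabled             : false
real_time_protection_enabled     : false
definitions_status               : "out_of_date"'

# Use the live agent when mdatp is installed, otherwise the sample.
if command -v mdatp >/dev/null 2>&1; then
    mde_health_check "$(mdatp health)" || echo "$? check(s) need attention"
else
    mde_health_check "$SAMPLE_HEALTH" || echo "$? check(s) need attention"
fi
```

Run it with `sh` on an endpoint where `mdatp` is installed and read the `CHECK` lines; the two flagged items in the sample are exactly the ones you would then correct with the settings and actions shown in the flowchart above.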
Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo
Consider subscribing to Medium (here) to access more content that will empower you!
Thank you for reading and leave your thoughts/comments!
References
Scattered throughout the document.